Dr. Trigon wrote:
I would check that xslt is composed only of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0)
I considered this solution, since it sounded very easy. BUT the check for alphanum excludes all files with '-' or '_'. Thus I decided to use my proposal.
Heh, you could have added - and _ to the list of allowed characters (that's why I pointed out *what* I wanted to protect from).
As far as I can see this does protect from '../' and '\0' in the path of the xslt file also - but please correct me if I am wrong here (and you have a scenario where this breaks down).
Spelling out the list of allowed values is always safer, but it is bothersome (I see you listed the folder instead).
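The character check discussed above, written out as an added example (not code from this thread); the directory, the ".xslt" suffix and the optional allow-list of file names are assumptions:

```python
import os
import re

# Assumed stylesheet directory, as in the suggestion quoted above.
XSLT_DIR = "/home/drtrigon/xslt/"

# Alphanumerics plus '-' and '_', so names like "my-style_1" still pass.
# fullmatch() is used rather than match() with '$', because '$' would
# still accept a trailing newline.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def xslt_path(name, allowed=None):
    """Map a user-supplied stylesheet name to a path under XSLT_DIR.

    Returns the path, or None if the name is rejected.  Because '/', '.' and
    NUL are not in the allowed set, neither '../' traversal nor a
    NUL-truncated name can reach the filesystem call.  If `allowed` (a set of
    bare names, e.g. from listing the folder) is given, the name must also be
    in it, which is the "spell out the allowed values" variant.
    """
    if not NAME_RE.fullmatch(name):
        return None
    if allowed is not None and name not in allowed:
        return None
    path = os.path.join(XSLT_DIR, name + ".xslt")
    # Defence in depth: confirm the resolved path still lies inside XSLT_DIR,
    # so a later change to NAME_RE cannot silently reintroduce traversal.
    root = os.path.realpath(XSLT_DIR)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        return None
    return path


if __name__ == "__main__":
    # Constructed inputs: one good name and a few that must be rejected.
    for candidate in ["my-style_1", "../etc/passwd", "style\0", "style\n", ""]:
        print(repr(candidate), "->", xslt_path(candidate))
```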